CN108073817A - Offline heap-overflow vulnerability discovery method based on active construction - Google Patents
- Publication number: CN108073817A (application CN201711266952.8A)
- Authority: CN (China)
- Prior art keywords: heap, overflow, allocation, program, instruction
- Prior art date: 2017-12-05
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention provides an offline heap-overflow vulnerability discovery method based on active construction. It analyzes a recording of the program's dynamic execution (even one in which the program did not crash), performs association analysis on the heap allocations and heap accesses that occur during the execution and, for each heap allocation-access pair, analyzes its controllability (whether it is influenced by external input) and its overflow condition. Combined with the path constraints, it solves for whether an input exists that can trigger the potential heap overflow, then constructs a vulnerability sample (PoC file) and verifies it, thereby discovering potential heap-overflow vulnerabilities. Compared with general heap-overflow discovery methods it is more targeted: it starts directly from the essence of a heap overflow (a heap access that is inconsistent with its heap allocation) and checks whether external input can influence the heap operation. It also points directly at the location where the overflow occurs (which differs from the crash location), which helps security analysts and developers fix the bug.
Description
Technical field
The invention belongs to the field of software vulnerability discovery and in particular relates to an offline heap-overflow vulnerability discovery method based on active construction.
Background art
Memory-corruption vulnerabilities are a very serious class of security flaws. As protection mechanisms have matured, stack-overflow vulnerabilities have become difficult to exploit, and heap-overflow vulnerabilities have become a hot and difficult research topic. Using techniques such as heap spraying and heap feng shui, an attacker can exploit a heap overflow to achieve arbitrary address read/write and arbitrary code execution, which is extremely harmful.
Among existing heap vulnerability discovery methods, static analysis is limited by problems such as pointer aliasing and a high false-positive rate, so dynamic testing and analysis methods are increasingly used. Fuzz testing (fuzzing) is one of the most widely applied: it generates a large number of test samples and checks whether they trigger a crash in order to judge whether the software contains a vulnerability. The open-source fuzzer AFL (American Fuzzy Lop), for example, has found a large number of software vulnerabilities in this way. Software dynamic analysis has also achieved good results in vulnerability discovery, for example DIODE, developed by Stelios Sidiroglou-Douskos et al. at MIT, and Dowser, developed by Herbert Bos et al. at Vrije Universiteit Amsterdam, both published at top software and security conferences such as ASPLOS and USENIX Security. By locating and analyzing sensitive operations during program execution, these approaches explore the program's execution states in a guided way to discover software vulnerabilities.
Although dynamic-analysis vulnerability discovery has made great progress and is applied with good effect, existing methods still have the following shortcomings:
1) fuzzing is to some degree blind, and the crash samples it finds still require a large amount of follow-up analysis to determine the vulnerability type;
2) discovering heap overflows through heap vulnerability detection is passive, since it depends on the program crashing;
3) dynamic analysis techniques suffer from an excessive volume of analysis data and low analysis efficiency.
Summary of the invention
In view of the technical problems in the prior art, the object of the invention is to provide an offline heap-overflow vulnerability discovery method based on active construction. It analyzes a recording of the program's dynamic execution (even one in which the program did not crash), performs association analysis on the heap allocations and heap accesses that occur during the execution and, for each heap allocation-access pair, analyzes its controllability (whether it is influenced by external input) and its overflow condition. Combined with the path constraints, it solves for whether an input exists that can trigger the potential heap overflow, then constructs a vulnerability sample (PoC file) and verifies it, thereby discovering potential heap-overflow vulnerabilities.
The technical scheme adopted by the invention is as follows.
An offline heap-overflow vulnerability discovery method based on active construction, with the following steps:
execute the target program in a dynamic analysis environment and obtain an instruction record of the dynamic execution;
scan the instruction record, find and track the heap allocation functions, and reconstruct and maintain the heap state of the running program from the parameters of the heap allocation functions;
during the scan, perform pointer taint propagation; when a heap access is performed through a heap pointer, trace back through the pointer's taint information to the corresponding heap allocation and establish the association between the heap allocation and the heap access;
mark external input as the taint source and perform data taint propagation; when a heap allocation or a heap access is found, check whether its relevant parameters carry a data-taint mark, and record the taint information and the heap state;
for each associated heap allocation-access pair, construct a potential overflow condition from its data-taint state, the heap state and the type of heap overflow;
scan the instruction record again and extract the path constraints on the program's execution path, from the point where external tainted data enters the program to the heap allocation-access pair with potential overflow, and combine them with the heap overflow condition to form the pair's final overflow condition;
solve the final overflow condition; if it has a solution, generate a sample file from the solving result, run the program again with the sample file as input, and verify the heap overflow vulnerability.
Further, the heap allocation functions are selected from the malloc and free functions.
Further, executing the target program in the dynamic analysis environment includes: opening an original seed file with the target program and obtaining the instruction record of the dynamic execution; the instruction record includes the instruction information and the register contents at run time.
Further, the sample file is obtained by modifying the original seed file according to the solving result of the final overflow condition.
Further, scanning the instruction record and finding and tracking the heap allocation functions includes: finding the heap allocation instructions in the instruction record from the instruction offset addresses of the heap allocation functions; extracting the parameters of the heap allocation by analyzing the context of the heap allocation instructions; the parameters include the allocation size and the allocated address.
Further, pointer taint propagation uses propagation rules with signed taint labels, and data taint propagation uses propagation rules with (unsigned) taint labels; the final overflow condition is expressed in a symbolic form that can be solved; the symbolic expressions follow the rules of Z3-Python, with x86 instructions converted into Z3-Python expressions according to their semantics.
Further, the heap overflow condition expresses whether a situation exists in which the range of the heap access exceeds the range of the heap allocation; if such a situation exists, a heap overflow is possible. The path constraints express whether the target program executes along the vulnerable path through the allocation and access operations of the potential heap overflow; if it does, the path constraints are satisfied.
Further, solving the final overflow condition includes using Z3 as the symbolic solver; if a solution exists, the solving result shows which bytes of the original seed file are related to the heap overflow condition and the values those bytes must take to satisfy it.
A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the program comprising instructions for performing each step of the above method.
A computer-readable storage medium storing a computer program, the computer program comprising instructions which, when executed by a processor of a server, cause the server to perform each step of the above method.
With the above technical scheme, the invention uses taint propagation to find the bytes of the external input that can influence the relevant operations, then converts the path constraints and the overflow condition into symbolic expressions and solves them, actively constructing a sample that triggers the potential heap overflow; this improves the ability to discover heap-overflow vulnerabilities actively.
Labelled data taint propagation and signed-label pointer taint propagation improve the accuracy and expressiveness of the taint analysis. Performing taint propagation first and only then converting the relevant instructions into Z3-Python expressions reduces the number of instructions that must be symbolized, improving the efficiency and practicality of heap-overflow discovery.
Compared with general heap-overflow discovery methods the approach is more targeted: it starts from the essence of a heap overflow (a heap access that is inconsistent with its allocation) and checks whether external input can influence the heap operation. It can also point directly at the location where the overflow occurs, which differs from the crash location, helping security analysts and developers fix the bug.
Description of the drawings
Fig. 1 is a flowchart of the offline heap-overflow vulnerability discovery method based on active construction in one embodiment of the invention.
Fig. 2 is a schematic of the program execution record obtained by opening a normal mbm file with the XnView software in one embodiment of the invention.
Fig. 3 is a schematic of the heap allocation-access pairs recorded in one embodiment of the invention.
Fig. 4 is a schematic of the solvable PythonZ3 expression containing the final overflow condition, as generated in one embodiment of the invention.
Fig. 5 is a schematic of the PoC file, obtained by solving the PythonZ3 expression, that crashes the XnView software in one embodiment of the invention.
Specific embodiment
The technical solution of the invention is described in detail below with reference to the drawings.
As shown in Fig. 1, the offline heap-overflow vulnerability discovery method based on active construction comprises the following steps.
Execute the target program in a dynamic analysis environment and obtain the instruction record of the dynamic execution; all subsequent analysis is offline analysis of this instruction record.
The object of analysis in this embodiment is the program's dynamic execution record; how it is obtained is not prescribed. Tools such as PIN can also produce a dynamic execution record, and related papers and tools exist. The invention modifies the QEMU source code so that analysis code is inserted into the system-level instruction translation process; while the program runs, the executed instructions are recorded together with the instruction context required by the subsequent analysis. The subsequent analysis uses the recorded instructions and related information, including the instructions and the register contents.
Executing the target program in the dynamic analysis environment means opening the original seed file with the target program (whether or not it triggers a crash) and obtaining the instruction record of the dynamic execution, including the instruction information, the register contents at run time, and so on. New files are obtained by analyzing the processing of the original seed file and, once a problem is found, modifying the original file; the seed file is the basis for constructing the sample file, so opening the original seed file while executing the target program is a necessary operation in this application.
Scan the instruction record, find and track the heap allocation functions (such as malloc and free), and reconstruct and maintain the heap state of the running program from the parameters of the heap allocation functions.
The binary instruction record is reverse-analyzed: from the offset addresses of the heap-allocation related calls (such as malloc and free), the entry and exit addresses of the current call are computed, giving the call's parameters and return value, i.e. the allocation size and address, together with the time of the allocation (the instruction record number). The program's heap state is recovered from the changes to the heap and maintained in a heap state table for later queries.
The heap allocation operations (including release operations) are found in the instruction record from the instruction offset addresses of the heap allocation functions, and the parameters of the allocation, such as allocation size and allocated address, are extracted by analyzing the context of the related instructions. This information is recorded as heap state marks and updated as the analysis proceeds.
At the same time, the pointer returned by the heap allocation function is marked as a taint source, and pointer taint propagation is computed while scanning the instructions. When a heap access is performed through a heap pointer, the pointer's taint information is traced back to the corresponding heap allocation, establishing the relation between the heap access and its allocation.
At the moment a heap allocation function returns, its return value (the allocated address) is used as the taint label, and the propagation of pointers to the allocated heap address is tracked. At the moment a pointer is dereferenced (a heap access), the pointer's taint label is queried to obtain the corresponding allocation, the access is associated with the allocation, and the pair is recorded as a heap allocation-access pair.
In particular, during pointer taint propagation a propagation rule with signed labels is used so that pointer arithmetic is handled correctly. Suppose EAX carries the pointer taint TaintEAX and EBX carries the pointer taint TaintEBX. Earlier methods consider that after SUB EAX, EBX the register EAX no longer represents a pointer and clear its taint; if the instructions MOV ESI, EAX and ADD ESI, EBX follow, ESI then carries the pointer taint TaintEBX, even though ESI = (EAX - EBX) + EBX = EAX. With signed taint labels, the label of EAX after SUB EAX, EBX is (TaintEAX, -TaintEBX), and the label of ESI after ADD ESI, EBX is TaintEAX.
That is, once a heap allocation is found, the pointer returned by the allocation function is marked as a taint source and pointer taint propagation is computed. When a heap pointer is dereferenced, i.e. a heap access occurs, the pointer's taint state is examined and the taint source is traced back to the corresponding heap allocation; this information is recorded as a heap allocation-access pair.
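The signed-label rule described above, as an added example in Python that is not the patent's own implementation: each register carries a dictionary of allocation labels with signed counts, and SUB, ADD and MOV update it so that the difference of two pointers is remembered rather than discarded. The instruction sequence and the labels TaintEAX and TaintEBX are the ones in the text; the older rule (clear the destination on SUB of two tainted registers, union the labels on ADD) is reconstructed from the text's description, and the rule set as a whole is this example's assumption.

```python
# Added example (not code from the patent): pointer taint propagation with signed
# labels for x86 register arithmetic. Only MOV/ADD/SUB are modelled; immediates
# carry no label (pointer + constant still points into the same allocation).

def _combine(a, b, sign):
    """Return a + sign*b over {label: signed count} dicts, dropping zero entries."""
    out = dict(a)
    for label, count in b.items():
        out[label] = out.get(label, 0) + sign * count
        if out[label] == 0:
            del out[label]
    return out


class PointerTaint:
    """Register-level pointer taint.

    {'TaintEAX': 1} means "points into the allocation labelled TaintEAX".
    {'TaintEAX': 1, 'TaintEBX': -1} means "TaintEAX minus TaintEBX": not a pointer
    by itself, but a pointer into TaintEAX again once TaintEBX is added back.
    With signed=False the older rule is used instead: SUB of two tainted
    registers clears the destination, ADD takes the union of the labels.
    """

    def __init__(self, signed=True):
        self.signed = signed
        self.regs = {}

    def mark(self, reg, label):
        """Mark `reg` as holding the pointer returned by allocation `label`."""
        self.regs[reg] = {label: 1}

    def labels(self, reg):
        return dict(self.regs.get(reg, {}))

    def points_to(self, reg):
        """Allocation label if `reg` is exactly one pointer, else None."""
        lab = self.labels(reg)
        if len(lab) == 1:
            (label, count), = lab.items()
            if count == 1:
                return label
        return None

    def step(self, op, dst, src):
        """Apply one instruction; `src` is a register name or an immediate int."""
        s = self.regs.get(src, {}) if isinstance(src, str) else {}
        d = self.regs.get(dst, {})
        if op == 'MOV':
            new = dict(s)
        elif op == 'ADD':
            new = _combine(d, s, +1) if self.signed else {**d, **s}
        elif op == 'SUB':
            if self.signed:
                new = _combine(d, s, -1)
            else:
                new = {} if (d and s) else dict(d)   # old rule: difference is "not a pointer"
        else:
            raise ValueError('unsupported instruction ' + op)
        self.regs[dst] = new

    def run(self, insns):
        for op, dst, src in insns:
            self.step(op, dst, src)
        return self


# The sequence from the text; EAX and EBX each hold a heap pointer beforehand.
SEQUENCE = [('SUB', 'EAX', 'EBX'), ('MOV', 'ESI', 'EAX'), ('ADD', 'ESI', 'EBX')]


def propagate(signed):
    """Run SEQUENCE under either rule set and return the resulting taint state."""
    t = PointerTaint(signed)
    t.mark('EAX', 'TaintEAX')
    t.mark('EBX', 'TaintEBX')
    return t.run(SEQUENCE)
```

Under the old rule `propagate(False).points_to('ESI')` reports TaintEBX, so a later dereference of ESI would be paired with the wrong allocation and the overflow condition would be built against the wrong size; under the signed rule it reports TaintEAX, matching ESI = EAX. Pointer plus immediate (for example ADD EAX, 16) keeps the single label, which is what lets the later access be traced back to its allocation even after index arithmetic.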
Meanwhile it is stain source to mark external input, during instruction scan, carries out data tainting calculating.Work as hair
When now Heap Allocation operation or heap access operation, whether the relevant parameter (such as the size of distribution) of detection Heap Allocation or heap access operation
It is marked by data stain, records stain information and heap status information at that time to corresponding Heap Allocation-access centering.
At the time of external input enters program, using externally input document misregistration as stain label, trace routine processing
The process of input.At the time of Heap Allocation or access, check whether the parameter of Heap Allocation or the parameter of heap access are stain, from
And judge whether that external input influences the situation of heap operation, labeled as dangerous Heap Allocation-access pair.
To each associated Heap Allocation-access operation, according to its data stain state and heap state at that time and heap
(whether the relevant parameter that Heap Allocation operates or heap accesses operation is subject to externally input the type of spilling comprising data stain
Control), construct potential heap overflow condition (scope that i.e. heap accesses is more than the scope of Heap Allocation).
Scan the instruction record again and extract the path constraints on the program's execution path from the point where external tainted data enters the program to the heap allocation-access pair with potential overflow, and combine them with the heap overflow condition to form the pair's final overflow condition, expressed in a solvable symbolic form.
For a dangerous heap allocation-access pair, the data-taint labels of the allocation or the access are used to extract from the instruction record the segment of instructions from the reading of the related tainted input up to the access instruction of the pair, and each x86 instruction in it is expressed as a solvable Z3-Python expression according to its semantics. For example, MOV EAX, EBX is expressed as (m_0 = m_4, m_1 = m_5, m_2 = m_6, m_3 = m_7), where EAX is represented by the bytes (m_0 .. m_3) and EBX by (m_4 .. m_7). A jump instruction that is influenced by data taint becomes a path constraint. At the moment of the heap access, the heap overflow condition is constructed according to the principle of heap overflow (the range of the heap access exceeds the range of the allocation) and expressed as an inequality.
The overflow condition is solved with a symbolic solver; if a solution exists, an overflow is possible. The original seed file is modified according to the solving result to generate a new sample file. The program is run again with the new sample file as input and the triggering of the heap overflow is checked, finally yielding a PoC file that demonstrates the vulnerability and verifies that the heap overflow really exists.
In addition, the instruction record obtained above includes, for each instruction, its EIP, the contents of the related registers (such as EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP), the instruction's machine code, and the record number.
The offset addresses of the heap allocation functions are relative offsets; their specific values depend on the DLL version and the DLL load address, and the instruction record is searched according to those specific values. The information related to a heap allocation (such as allocation size and address) is obtained by manual reverse engineering and extracted at the corresponding instruction.
Pointer taint propagation uses propagation rules with signed taint labels; data taint propagation uses propagation rules with plain taint labels. The difference between them is whether the taint label carries a positive or negative sign.
Symbolic expressions follow the rules of Z3-Python, with x86 instructions converted into Z3-Python expressions according to their semantics. The heap overflow condition refers to whether a situation exists in which the range of the heap access exceeds the range of the heap allocation; if it does, a heap overflow is possible. The path constraints refer to whether the program can be made to execute along the vulnerable path through the allocation and access operations of the potential heap overflow; if it can, the path constraints are satisfied.
Z3 is used as the symbolic solver. If a solution exists, an input satisfying the overflow condition exists, i.e. there is a heap overflow vulnerability, and the corresponding bytes of the input can be changed according to the solving result. The result shows which bytes of the original seed file the overflow condition depends on and which values those bytes must take to satisfy it. The original seed file is modified according to this result to obtain a PoC file that triggers the heap overflow exception; the related bytes are those reached by propagation from the external-input taint source described above. If there is no solution, no input satisfies the overflow condition, i.e. the heap allocation-access pair under analysis cannot overflow.
The complete discovery process generates the sample file and then runs the program again to detect whether the vulnerability is triggered, which reduces false positives; after the sample is constructed, the program still has to be run with it to confirm the vulnerability.
The method is illustrated below with a specific example.
Take the heap overflow vulnerability CVE-2010-1932, triggered when the XnView software processes mbm files. In the dynamic analysis environment, a normal mbm file is opened with XnView and the program execution record is obtained, as shown in Fig. 2.
Offline analysis of the instruction record yields records of the heap allocation and heap access operations during the program's execution, recorded in the form of heap allocation-access pairs, as shown in Fig. 3.
The data-taint situation is also recorded in each heap allocation-access pair. For example, the first row shows that a heap allocation occurred at record id 8204 and that its allocation parameter depends on 12 bytes of the input file; a heap access occurred at record id 8783, accessing the heap space allocated at 8204, and its access parameter depends on 1 byte. For each heap allocation-access pair the instruction record is scanned again to obtain the path constraints, which are combined with the overflow condition to generate an expression in the solvable PythonZ3 form shown in Fig. 4.
A solution is obtained with the Z3 solver, meaning that this heap allocation-access pair really can overflow; the original seed file is modified according to the result, yielding a PoC file that crashes the XnView software, as shown in Fig. 5.
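The procedure above, from the heap allocation-access pair record through the final overflow condition to the solved PoC and its re-run, as an added example that is not the patent's code and does not reproduce the XnView mbm parser. A constructed toy format (magic 'TOY1', a count byte at offset 4, an index byte at offset 5) stands in for the input file, the small Python function target_open() stands in for re-running the real program, and Z3 is replaced by an exhaustive search over the tainted bytes so the example runs with only the standard library. The record ids 8204 and 8783 are reused from Fig. 3 only as labels; the expressions, the seed file and the path constraints are all constructed for this example, whereas the method derives them from the Z3-Python translation of the recorded x86 instructions.

```python
# Added example, not code from the patent or from XnView. A data-taint label is a
# file offset; an expression's taint is the set of offsets it depends on.
import itertools

def Byte(off):   return ('byte', off)
def Const(n):    return ('const', n)
def Add(a, b):   return ('add', a, b)
def Mul(a, b):   return ('mul', a, b)
def Gt(a, b):    return ('gt', a, b)
def Eq(a, b):    return ('eq', a, b)
def Ne(a, b):    return ('ne', a, b)

def evaluate(e, data):
    """Evaluate an expression against concrete file bytes."""
    if e[0] == 'byte':  return data[e[1]]
    if e[0] == 'const': return e[1]
    a, b = evaluate(e[1], data), evaluate(e[2], data)
    return {'add': a + b, 'mul': a * b,
            'gt': a > b, 'eq': a == b, 'ne': a != b}[e[0]]

def tainted_offsets(e):
    """File offsets an expression depends on (its data-taint labels)."""
    if e[0] == 'byte':  return {e[1]}
    if e[0] == 'const': return set()
    return tainted_offsets(e[1]) | tainted_offsets(e[2])

# Constructed allocation-access pair in the shape of the method's records: the
# allocation size is tainted by offset 4 (malloc(count * 4)), the access through a
# pointer traced back to it is a 4-byte store whose offset is tainted by offset 5
# (p[index]), and the tainted branches between input and access form the path
# (magic check, "if count == 0 return").
PAIR = {
    'alloc':  {'id': 8204, 'size': Mul(Byte(4), Const(4))},
    'access': {'id': 8783, 'offset': Mul(Byte(5), Const(4)), 'width': Const(4)},
    'path':   [Eq(Byte(i), Const(c)) for i, c in enumerate(b'TOY1')]
              + [Ne(Byte(4), Const(0))],
}

def overflow_condition(pair):
    """Heap overflow: the end of the access lies beyond the end of the allocation."""
    acc = pair['access']
    return Gt(Add(acc['offset'], acc['width']), pair['alloc']['size'])

def final_condition(pair):
    """Path constraints plus overflow condition; all must hold at once."""
    return pair['path'] + [overflow_condition(pair)]

def _groups(conds):
    """Split conditions into groups sharing no file offsets; groups solve independently."""
    groups = []
    for c in conds:
        merged = [tainted_offsets(c), [c]]
        rest = []
        for offs, cs in groups:
            if offs & merged[0]:
                merged[0] |= offs
                merged[1] += cs
            else:
                rest.append((offs, cs))
        groups = rest + [tuple(merged)]
    return groups

def solve(conds, seed):
    """Search the tainted bytes for values satisfying every condition, starting
    from the seed. Exhaustive per group, so practical only while groups are small."""
    data = bytearray(seed)
    for offs, cs in _groups(conds):
        offs = sorted(offs)
        for values in itertools.product(range(256), repeat=len(offs)):
            for off, v in zip(offs, values):
                data[off] = v
            if all(evaluate(c, data) for c in cs):
                break
        else:
            return None          # unsatisfiable group: this pair cannot overflow
    return bytes(data)

def target_open(data):
    """Constructed model of the target program, standing in for re-running it on
    the sample. The bounds check plays the role of the observed crash."""
    if data[:4] != b'TOY1':
        return 'rejected'
    count, index = data[4], data[5]
    if count == 0:
        return 'rejected'
    heap = bytearray(count * 4)          # the allocation at record 8204
    if index * 4 + 4 > len(heap):        # the access at record 8783
        return 'overflow'
    heap[index * 4:index * 4 + 4] = b'\0\0\0\0'
    return 'ok'

SEED = b'TOY1' + bytes([8, 2]) + b'\0' * 10   # constructed seed: count=8, index=2, no overflow

def mine(pair=PAIR, seed=SEED):
    """Solve the pair's final condition, build the PoC, and re-run the target on it."""
    poc = solve(final_condition(pair), seed)
    return poc, (None if poc is None else target_open(poc))
```

Calling mine() returns the PoC bytes and the model's verdict. The bytes the solver changes (offsets 4 and 5) are exactly the data-taint labels of the overflow condition, which is what the method reports as the bytes of the seed file related to the overflow condition; the magic bytes are kept because their own path constraints are already satisfied by the seed. The re-run at the end is the verification step the text insists on: a satisfiable condition alone is not yet a confirmed vulnerability.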
From the description of the above embodiment, a person skilled in the art can obtain the dynamic execution record in whatever way is needed, add more complex propagation rules, or add more complex heap overflow conditions, so as to find more potential heap-overflow vulnerabilities.
The method described in each embodiment of this application can be implemented in the form of an executable program, which can be stored in a computer-readable storage medium and executed by a processor.
Although specific embodiments and drawings of the invention are disclosed for the purpose of illustration, to help understand the invention and implement it accordingly, those skilled in the art will appreciate that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to what the preferred embodiments and drawings disclose; its scope of protection is defined by the claims.
Claims (10)
1. An offline heap-overflow vulnerability discovery method based on active construction, comprising the following steps:
executing the target program in a dynamic analysis environment and obtaining an instruction record of the dynamic execution;
scanning the instruction record, finding and tracking the heap allocation functions, and reconstructing and maintaining the heap state of the running program from the parameters of the heap allocation functions;
performing pointer taint propagation during the scan; when a heap access is performed through a heap pointer, tracing back through the pointer's taint information to the corresponding heap allocation and establishing the association between the heap allocation and the heap access;
marking external input as the taint source and performing data taint propagation; when a heap allocation or a heap access is found, checking whether its relevant parameters carry a data-taint mark and recording the taint information and the heap state;
for each associated heap allocation-access pair, constructing a potential overflow condition from its data-taint state, the heap state and the type of heap overflow;
scanning the instruction record again, extracting the path constraints on the program execution path from the point where external tainted data enters the program to the heap allocation-access pair with potential overflow, and combining them with the heap overflow condition to form the pair's final overflow condition;
solving the final overflow condition and, if a solution exists, generating a sample file from the solving result, running the program again with the sample file as input, and verifying the heap overflow vulnerability.
2. The offline heap-overflow vulnerability discovery method based on active construction according to claim 1, characterized in that the heap allocation functions are selected from the malloc and free functions.
3. The method according to claim 1 or 2, characterized in that executing the target program in the dynamic analysis environment comprises: opening an original seed file with the target program and obtaining the instruction record of the dynamic execution; the instruction record comprising instruction information and run-time register information.
4. The method according to claim 3, characterized in that the sample file is obtained by modifying the original seed file according to the solving result of the final overflow condition.
5. The method according to claim 1, characterized in that scanning the instruction record and finding and tracking the heap allocation functions comprises: finding the heap allocation instructions in the instruction record from the instruction offset addresses of the heap allocation functions; extracting the parameters of the heap allocation by analyzing the context of the heap allocation instructions; the parameters comprising the allocation size and the allocated address.
6. The method according to claim 5, characterized in that the pointer taint propagation uses propagation rules with signed taint labels and the data taint propagation uses propagation rules with taint labels; the final overflow condition is expressed in a solvable symbolic form; and the symbolic expressions follow the rules of Z3-Python, with x86 instructions converted into Z3-Python expressions according to their semantics.
7. The method according to claim 6, characterized in that the heap overflow condition expresses whether a situation exists in which the range of the heap access exceeds the range of the heap allocation, such a situation indicating the possibility of a heap overflow; and the path constraints express whether the target program executes along the vulnerable path through the allocation and access operations of the potential heap overflow, in which case the path constraints are satisfied.
8. The method according to claim 7, characterized in that solving the final overflow condition comprises: using Z3 as the symbolic solver; if a solution exists, the solving result shows which bytes of the original seed file are related to the heap overflow condition and the values those bytes must take to satisfy it.
9. A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the program comprising instructions for performing each step of the method of any one of claims 1 to 8.
10. A computer-readable storage medium storing a computer program, the computer program comprising instructions which, when executed by a processor of a server, cause the server to perform each step of the method of any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711266952.8A CN108073817A (en) | 2017-12-05 | 2017-12-05 | A kind of offline heap overflow bug excavation method based on active construction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108073817A true CN108073817A (en) | 2018-05-25 |
Family ID: 62157818
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711266952.8A Pending CN108073817A (en) | 2017-12-05 | 2017-12-05 | A kind of offline heap overflow bug excavation method based on active construction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108073817A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109948346A (en) * | 2019-04-09 | 2019-06-28 | 苏州浪潮智能科技有限公司 | A kind of loophole PoC implementation method and device |
CN111625833A (en) * | 2020-04-13 | 2020-09-04 | 中国科学院软件研究所 | Efficient method and device for judging reuse vulnerability after software program release |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080016314A1 (en) * | 2006-07-12 | 2008-01-17 | Lixin Li | Diversity-based security system and method |
US20090319256A1 (en) * | 2008-06-20 | 2009-12-24 | Vmware, Inc. | Decoupling dynamic program analysis from execution across heterogeneous systems |
CN103198260A (en) * | 2013-03-28 | 2013-07-10 | 中国科学院信息工程研究所 | Automation positioning method for binary system program vulnerabilities |
CN104008053A (en) * | 2014-05-28 | 2014-08-27 | 电子科技大学 | Dynamic symbol execution path searching method for finding vulnerabilities |
CN106850582A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of APT Advanced threat detection methods based on instruction monitoring |
Events
- 2017-12-05: CN CN201711266952.8A patent/CN108073817A/en active Pending
Non-Patent Citations (3)
Title |
---|
XIANGKUN JIA ET AL.: "Towards efficient heap overflow discovery", 《HTTPS://DL.ACM.ORG/DOI/ABS/10.5555/3241189.3241267》 * |
刘洋: "基于动态污点分析的二进制程序缓冲区溢出的研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
赵晶玲等: "基于离线汇编指令流分析的恶意程序算法识别技术", 《清华大学学报(自然科学版)》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109948346A (en) * | 2019-04-09 | 2019-06-28 | 苏州浪潮智能科技有限公司 | A kind of loophole PoC implementation method and device |
CN111625833A (en) * | 2020-04-13 | 2020-09-04 | 中国科学院软件研究所 | Efficient method and device for judging reuse vulnerability after software program release |
CN111625833B (en) * | 2020-04-13 | 2023-06-13 | 中国科学院软件研究所 | Efficient method and device for judging reuse loopholes after release of software program |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109583200B (en) | Program abnormity analysis method based on dynamic taint propagation | |
JP5430570B2 (en) | Method for test suite reduction by system call coverage criteria | |
US10380349B2 (en) | Security analysis using relational abstraction of data structures | |
Huang et al. | Software crash analysis for automatic exploit generation on binary programs | |
US10599558B1 (en) | System and method for identifying inputs to trigger software bugs | |
Kirbas et al. | The relationship between evolutionary coupling and defects in large industrial software | |
CN110941552A (en) | Memory analysis method and device based on dynamic taint analysis | |
US12093398B2 (en) | Vulnerability analysis and reporting for embedded systems | |
CN111832026B (en) | Vulnerability utilization positioning method, system, device and medium | |
KR101979329B1 (en) | Method and apparatus for tracking security vulnerable input data of executable binaries thereof | |
Wei et al. | State-sensitive points-to analysis for the dynamic behavior of JavaScript objects | |
Kratkiewicz et al. | Using a diagnostic corpus of C programs to evaluate buffer overflow detection by static analysis tools | |
Park et al. | unicorn: a unified approach for localizing non‐deadlock concurrency bugs | |
Cloosters et al. | {SGXFuzz}: Efficiently synthesizing nested structures for {SGX} enclave fuzzing | |
Pagani et al. | Back to the whiteboard: A principled approach for the assessment and design of memory forensic techniques | |
CN108073817A (en) | A kind of offline heap overflow bug excavation method based on active construction | |
Suneja et al. | Towards reliable AI for source code understanding | |
Bai et al. | Mining and checking paired functions in device drivers using characteristic fault injection | |
CN114741700B (en) | Public component library vulnerability availability analysis method and device based on symbolized stain analysis | |
Mercier et al. | dynStruct: An automatic reverse engineering tool for structure recovery and memory use analysis | |
CN102708054A (en) | Detection method for security flaws in loop write-only memory of binary program | |
CN115712899A (en) | Code analysis method and device, electronic equipment and storage medium | |
Wikman | Static analysis tools for detecting stack-based buffer overflows | |
CN111858307B (en) | Fuzzy test method and equipment | |
Ahmed et al. | Not All Data are Created Equal: Data and Pointer Prioritization for Scalable Protection Against {Data-Oriented} Attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |
Application publication date: 20180525